____________________________________________________________________________________________ ...:: Play with the Registry ::.. - by DiA /auXnet - [GermanY] ____________________________________________________________________________________________ +++++Disclaimer+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +I am NOT responsible for any damage that you do! You can need the code however you want...+ +My motherlanguage is not English, I hope you understand what I mean. + +Feel FREE to write any Comments to + + DiA_hates_machine@gmx.de + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ................................................ . . . Index: _1_ : Intro . . . . _2_ : What the HELL is the Registry . . . . _3_ : Structure of Registry . . . . _4_ : The MainKey's . . . . _5_ : Kewl SubKey's . . . . _6_ : °1° Open and Close a SubKey . . . . _7_ : °2° Read a Value . . . . _8_ : °3° Create a SubKey . . . . _9_ : °4° Set a Value . . . . _A_ : °5° Delete a Subkey . . . . _B_ : Outro . . . . #C# : Appendix = RegCounter . . . ................................................ *** _1_ : Intro *** Here we go again Motherfucker... ;) Yes, here it is, another tutorial from me! In this tutorial i wanna describe the most important things about the WindowZ "Registry". The Registry is a fine thing, in DOS age there was .INI filez where the progs save something. Today in WIN age there are the Registry Of course, it's a new thing (for Newbies :), but I think it's easy to learn and understand. When you checked it, you can do a lot of things with the Registry. But enogh with the silly BlaBlaBla... ...LET'S ROCK 'N ROLL! *** _2_ : What the HELL is the Registry *** In the Registry are saved some important things for WindowZ, Win32 Progs, Bios Stuff and some other interesting things. You can look at the Registry with the WindowZ tool "RegEdit". It's in the WindowZ folder (eg C:\Windows\RegEdit.EXE)... Offer: before you go on with reading, start RegEdit and look at the Registry by yourself, and then go on with the reading, let's do this..... *** _3_ : Structure of Registry *** HKEY_LOCAL_MACHINE, HKEY_USERS, ... WHAT DA HELL IS THIS? Easy, this shit is called "MainKeys", but wait, I show you this all in a nice graphic's... Ok, first open RegEdit then click on "HKEY_LOCAL_MACHINE". You see a tree, right? Ok, go to the following Folders (SubKey's): \Software \Microsoft \Windows \CurrentVersion Now you see some Value's, look for "RegisteredOwner". Yup, here are the graphic's: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion ^~~~~~~~~~~~~~~~~^ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^ | | MainKey SubKey MainKey : it exist 5 MainKey's (ever) and maybe one more (not ever) [ See _4_ ] SubKey : can be everything, your SubKey, SubKey from WindowZ or a Win32 Prog [ See RegEdit ] RegisteredOwner "SillyMotherFucker" ^~~~~~~~~~~~~~^ ^~~~~~~~~~~~~~~~~~^ | | ValueName Value ValueName : you need the name to read, write or delete a Value Value : here saved a String or a Number (eg SetupFlags 02 05 00 00) *** _4_ : The MainKey's *** Ok, now you know the structure of the Registry, but what are the MainKay's: HKEY_CLASSES_ROOT equ 80000000h ;ever HKEY_CURRENT_USER equ 80000001h ;ever HKEY_LOCAL_MACHINE equ 80000002h ;ever HKEY_USERS equ 80000003h ;ever HKEY_PERFORMANCE_DATA equ 80000004h ;ever HKEY_CURRENT_CONFIG equ 80000005h ;ever HKEY_DYN_DATA equ 80000006h ;NOT ever (fuck off) You will see it to use in chapter _6_ ... *** _5_ : Kewl SubKey's *** Here comez kewl SubKey's where you can watch out: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion HKEY_CURRENT_USER\Control Panel\Keyboard HKEY_CURRENT_USER\Control Panel\Mouse HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Look for some other kewl stuff, everyday you will find new things! *** _6_ : °1° Open and Close a SubKey *** Ok, here comez the Code Examples, it's enogh describe... To Compile the Example Progs (? = The current Example Prog): TASM32 /z /ml /m3 Ex?,,; TLINK32 -Tpe -c Ex?,Ex?,, import,lib In this Example we wanna OPEN and CLOSE a MainKey with a SubKey: ;-----cut-----Ex1.asm----------------------------------------------------------------------- .386 ;386+ .model flat ;no registers jumps ;TASM is kewl ;+++++ ; YOU MUST KNOW IT! ;+++++ extrn RegOpenKeyExA :PROC ;open a key (see chapter _4_), with a subkey extrn RegCloseKey :PROC ;close a key ;+++++ ; needed API's for the Example Prog ; for more infos look at the Win32 Programerz Referenz from WindowZ ;+++++ extrn MessageBoxA :PROC ;show a message, only to see that it workz extrn ExitProcess :PROC ;to exit the Example Prog ;+++++ ; only needed that you see that it workz ; i think you know this shit ;+++++ HKEY_LOCAL_MACHINE equ 80000002h ;define the MainKey ( _4_ ) ReadAndWrite equ 001F0000h ;flag to read and write something (Value, SubKey...) ;+++++ ; the code is clearer, TASM makes it ;) ;+++++ .data SubKey db 'Software\Microsoft\Windows\CurrentVersion',0 RegHandle dd 0 ;handle for the current open SubKey ;+++++ ; Ok, here is the SubKey string, it must be a NULLterminated string ; in RegHandle we are save the handle ;+++++ oTitle db '°Play with the Registry° - Example Prog - °1°',0 oMsg db 'Now the SubKey is open:',10,13 db 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion',10,13 db 'OK, to close the SubKey',0 ;+++++ ; for the message, only to POSE ;) ;+++++ .code start: ;+++++ ; BAH! ;+++++ push offset RegHandle ;here saves the Handle push ReadAndWrite ;Read and Write flag push 0 ;NULLLLL push offset SubKey ;pointer to the SubKey string push HKEY_LOCAL_MACHINE ;see up, defined call RegOpenKeyExA ;call the API ;+++++ ; this is the funktion to open a MainKey and a SubKey ; after the work the handle is saved in RegHandle ; for more infoz about API's look at th Win32 Referenz ;+++++ test eax,eax ;if not NULL jnz Exit ;then ERROR -> Exit ;+++++ ; here we test if there is an error (eg: can't open SubKey...) ; test eax,eax = cmp eax,00 ;+++++ push 0 ;NO style push offset oTitle ;title of message box push offset oMsg ;msg in the message box push 0 ;no window call MessageBoxA ;call the API ;+++++ ; here we show that the SubKey is opened and the handle is saved ;+++++ Exit: push dword ptr [RegHandle] ;push the value of RegHandle call RegCloseKey ;close the key via saved handle ;+++++ ; ok, here we close the SubKey with the handle (RegHandle) that we are have save ;+++++ push 0 ;NULL call ExitProcess ;exit it ;+++++ ; afte work exit the prog ; if there is any error, exit it too (no message) ;+++++ end start ;+++++ ; ya know... ;+++++ ;-----cut----------------------------------------------------------------------------------- Run the Prog: If you see a Message then the SubKey is opened... If no Message, then is any Error... (SH!T) *** _7_ : °2° Read a Value *** In this Example we wanna OPEN a MainKey with SubKey ( see _6_ ), then READ A VALUE (RegisteredOwner), and CLOSE the Key: ;-----cut-----Ex2.asm----------------------------------------------------------------------- .386 .model flat jumps ;+++++ ; what must I say??? ;+++++ extrn RegOpenKeyExA :PROC ;see _6_ extrn RegQueryValueExA :PROC ; to raed a value from a SubKey extrn RegCloseKey :PROC ;see also _6_ ;+++++ ; only RegQueryValue is new: to read a value ; if you don't know the other shit, look ine chapter before ;+++++ extrn MessageBoxA :PROC ;to show a message extrn ExitProcess :PROC ;to exit ;+++++ ; to show the read Value ; and exit ;+++++ HKEY_LOCAL_MACHINE equ 80000002h ;see up ReadAndWrite equ 001F0000h ;,too! ;+++++ ; I don't describe thing's when that are in a other chapter before! ;+++++ .data SubKey db 'Software\Microsoft\Windows\CurrentVersion',0 ValueName db 'RegisteredOwner',0 RegHandle dd 0 ;here saves the handle lpType dd 0 ;the type to read Size dd 100d ;the size for RegisteredOwner string Owner db 100d dup (0) ;here we save the string ;+++++ ; oh, some new shit... ; ValueName contains a NULLterminated string, ...ValueName ( see _3_ ) ; lpType is the type to read, must be a offset ; Size is the size for buffer, must be a offset ; Owner is the buffer, where we save the Value-String from "RegisteredOwner" ;+++++ oTitle db '°Play with the Registry° - Example Prog - °2°',0 ;+++++ ; here the Title of the message box ; message is the read Value from "RegisteredOwner" ;+++++ .code start: ;+++++ ; NO QUESTIONZ! ;+++++ push offset RegHandle ;if you don't know, look at chapter _6_ push ReadAndWrite push 0 push offset SubKey push HKEY_LOCAL_MACHINE call RegOpenKeyExA ;+++++ ; Open the SubKey ( see _6_ ) ;+++++ test eax,eax jnz Exit ;error? ;+++++ ; if error jmp to Exit ;+++++ push offset Size ;size of buffer push offset Owner ;here we save the Value push offset lpType ;type to read push 0 ;NULL push offset ValueName ;name of Value to read push dword ptr [RegHandle] ;push the handle of the open SubKey call RegQueryValueExA ;API ;+++++ ; here is the new API "RegQueryValueExA" ; after work the Value is in "Owner" ; now we have the Value ;+++++ test eax,eax ;error? jnz Exit ;+++++ ; here we check if there is a error to read the Value ;+++++ push 0 ;show a message push offset oTitle ;title push offset Owner ;show the value that we read =) push 0 ;NULL call MessageBoxA ;+++++ ; what must I say??? ;+++++ Exit: push dword ptr [RegHandle] ;close the SubKey after work call RegCloseKey ;via handle ;+++++ ; see _6_ ..... ;+++++ push 0 call ExitProcess ;+++++ ; exit the prog ;+++++ end start ;-----cut----------------------------------------------------------------------------------- So, when you run the prog, you see a message box with the current Registered Owner... If there is any error, then NO message... *** _8_ : °3° Create a SubKey *** Now we can Open a SubKey, Read a Value and Close a SubKey... That's enough, good night. WHAT? It's NOT ENOUGH, Ok, Ok. ;) In this Example Prog we wanna Create a SubKey! We create "TE$T" in HKEY_LOCAL_MACHINE\System But let's see: ;-----cut-----Ex3.asm----------------------------------------------------------------------- .386 .model flat jumps ;+++++ ; don't ask! ;+++++ extrn RegOpenKeyExA :PROC ;see _6_ extrn RegCreateKeyA :PROC ;create's a new subkey extrn RegCloseKey :PROC ;see _6_ ;+++++ ; only one new API, RegCreateKeyA ; simply, creates a new subkey in the current open key ;+++++ extrn MessageBoxA :PROC ;show message... extrn ExitProcess :PROC ;exit the prog ;+++++ ; show & exit =) ;+++++ HKEY_LOCAL_MACHINE equ 80000002h ;define ReadAndWrite equ 001F0000h ;only for TASM ;+++++ ; see up... ;+++++ .data SubKey db 'System',0 ;in this SubKey we wanna create our SubKey OurSubKey db 'TE$T',0 ;the name of the SubKey to create RegHandle dd 0 ;handle of SubKey OurRegHandle dd 0 ;here we save our handle of the SubKey (TE$T) ;+++++ ; ohh, new things... ; but simply ; OurSubKey contains a NULLterminated string (can be anything =) ; When we create this SubKey, it's in HKEY_LOCAL_MACHINE\System\TE$T ; OurRegHandle, there we save the handle from HKEY_LOCAL_MACHINE\System\TE$T ; but in RegHandle, there is the handle from HKEY_LOCAL_MACHINE\System ; wow ;+++++ oTitle db '°Play with the Registry° - Example Prog - °3°',0 oMsg db 'Create a new SubKey:',10,13 db ' HKEY_LOCAL_MACHINE\System\TE$T',0 ;+++++ ; pose a little bit... ;+++++ .code start: ;+++++ ;if you don't know, FUCK YOU :) ;+++++ push offset RegHandle ;see _6_ ... push ReadAndWrite ;thanx, TASM push 0 ;NULLLL push offset SubKey ;\Sytem push HKEY_LOCAL_MACHINE ;thanx so much! call RegOpenKeyExA ;+++++ ; open HKEY_LOCAL_MACHINE\System ;+++++ test eax,eax ;error? jnz Exit ;+++++ ; ya know?!? ;+++++ push offset OurRegHandle ;here we save the handle of our SubKey push offset OurSubKey ;point's to the string, contain's our SubKey push dword ptr [RegHandle] ;handle of HKEY_LOCAL_MACHINE\System call RegCreateKeyA ;API ;+++++ ; here is the new thing, ; creates in "HKEY_LOCAL_MACHINE\System" the SubKey "TE$T" ;+++++ push 0 ;show the message push offset oTitle ;title push offset oMsg ;message push 0 ;no owner window... call MessageBoxA ;!SHOW! ;+++++ ; show the message that all is allright ;+++++ Exit: push dword ptr [OurRegHandle] ;close our SubKey call RegCloseKey ;+++++ ; first we must close our handle, and then... ;+++++ push dword ptr [RegHandle] ;close handle call RegCloseKey ;+++++ ; ...we must close the handle from HKEY_LOCAL_MACHINE\System ;+++++ push 0 call ExitProcess ;+++++ ; exit and good night! ;+++++ end start ;-----cut----------------------------------------------------------------------------------- Ok, run the prog... ... when you see a message, start RegEdit (C:\WINDOWS\RegEdit.EXE): click on HKEY_LOCAL_MACHINE \Sytem Yup, now you can see (if no error) "TE$T" SubKey, KEWL! If no message, there is a error! *** _9_ : °4° Set a Value **** MAN! Now we wanna SET A VALUE, in the SubKey that we create in the chapter before ( _8_ ) The ValueName is " Example Prog °4° " and the Value is " from -Play with the Registry- tut, written by DiA /auXnet ". Let's do this: ;-----cut-----Ex4.asm----------------------------------------------------------------------- .386 .model flat jumps ;+++++ ; I kill you, if you don't know ;) ;+++++ extrn RegOpenKeyExA :PROC ; _6_ extrn RegSetValueExA :PROC ;to set a Value in a opened SubKey extrn RegCloseKey :PROC ; _6_ ;+++++ ; we set the value in the SubKey ; HKEY_LOCAL_MACHINE\System\TE$T ;+++++ extrn MessageBoxA :PROC extrn ExitProcess :PROC ;+++++ ; show and exit ;+++++ HKEY_LOCAL_MACHINE equ 80000002h ;define ReadAndWrite equ 001F0000h SizeOfValue equ (offset ValueEnd - offset ValueStart) ;+++++ ; ya must know, TASM RULEZ ; SizeOfValue is defined for the API RegSetValueA, see down... ;+++++ .data SubKey db 'System\TE$T',0 ValueName db 'Example Prog °4°',0 ValueStart: Value db 'from -Play with the Registry- tut, written by DiA /auXnet',0 ValueEnd: RegHandle dd 0 ;+++++ ; ValueName : Value ; you will see it, and I think the rest is clear ;+++++ oTitle db '°Play with the Registry° - Example Prog - °4°',0 oMsg db 'Set the Value:',10,13 db ' - Example Prog °4° : from -Play with the Registry- tut, written by DiA /auXnet -',10,13 db ' in - HKEY_LOCAL_MACHINE\System\TE$T -',0 ;+++++ ; to show something ;+++++ .code start: ;+++++ ; hard to understand, not? ;) ;+++++ push offset RegHandle ;see _6_ push ReadAndWrite ;TASM... push 0 push offset SubKey ;create in chapter _8_ push HKEY_LOCAL_MACHINE ;...RULEZ call RegOpenKeyExA ;+++++ ; open the key that we create in cahpter _8_ (TE$T) ;+++++ test eax,eax ;error jnz Exit ;+++++ ; error -> exit ;+++++ push SizeOfValue ;contains the size of the value push offset Value ;value to set push 1 ;1 = String 0 = Number push 0 ;NULLNULLNULL push offset ValueName ;the name of value push dword ptr [RegHandle] ;set it in HKEY_LOCAL_MACHINE\System\TE$T call RegSetValueExA ;API ;+++++ ; now we set the Value in the ValueName ; the size is defined "SizeOfValue" ; in RegHandle, ya know... ;+++++ push 0 ;message box push offset oTitle push offset oMsg push 0 call MessageBoxA ;+++++ ; show a message box ;+++++ Exit: push dword ptr [RegHandle] ;close the handle call RegCloseKey ;+++++ ; close the handle before exit ;+++++ push 0 call ExitProcess ;+++++ ; exit the prog ;+++++ end start ;-----cut----------------------------------------------------------------------------------- Whatzz UP?!? Run the Example Prog, if you see the message, good! Start RegEdit, click on HKEY_LOCAL_MACHINE \System \TE$T Yeah, you will see the ValueName contains the Value that we set in the prog! ROCK 'N ROLL. No message, error ...sorry. *** _A_ : °5° Delete a Subkey *** The last Example Prog... Ok, we create a SubKey ( _8_ ) and set a Value ( _9_ ), now we don't wanna this shit anymore ...so we DELETE THE SUBKEY! See: ;-----cut-----Ex5.asm----------------------------------------------------------------------- .386 .model flat jumps ;+++++ ; what can I say? ;+++++ extrn RegOpenKeyExA :PROC ;man, look at _6_ extrn RegDeleteKeyA :PROC ;delete's a SubKey extrn RegCloseKey :PROC ;fuck off... ;+++++ ; new API RegDeleteKeyA delete's the subkey that we create ( _8_ ) ; also the Value that we set in chapter _9_ ;+++++ extrn MessageBoxA :PROC ;show extrn ExitProcess :PROC ;exit ;+++++ ; show & exit ;+++++ HKEY_LOCAL_MACHINE equ 80000002h ;define ReadAndWrite equ 001F0000h ;+++++ ; ya know, if not shutdown your computer ;) ;+++++ .data SubKey db 'System',0 OurSubKey db 'TE$T',0 RegHandle dd 0 ;+++++ ; first we must open HKEY_LOCAL_MACHINE\System ; to delete \TE$T ;+++++ oTitle db '°Play with the Registry° - Example Prog - °5°',0 oMsg db 'Delete SubKey:',10,13 db ' \TE$T in HKEY_LOCAL_MACHINE\System',0 ;+++++ ; poser! ;+++++ .code start: ;+++++ ; ARGH! ;+++++ push offset RegHandle ; _666_ push ReadAndWrite ;TASM, I luv ya push 0 push offset SubKey push HKEY_LOCAL_MACHINE call RegOpenKeyExA ;+++++ ; all know'n from chapter _6_ ;+++++ test eax,eax ;not jnz Exit ;NULL ;+++++ ; ERROR! ;+++++ push offset OurSubKey ;what delete? push dword ptr [RegHandle] ;in HKEY_LOCAL_MACHINE\System call RegDeleteKeyA ;API ;+++++ ; delete this fucking shit ; all is clear ;+++++ push 0 ;show message push offset oTitle push offset oMsg push 0 call MessageBoxA ;+++++ ; show THE message ;+++++ Exit: push dword ptr [RegHandle] ;close handle call RegCloseKey ;+++++ ; close the opened SubKey ;+++++ push 0 call ExitProcess ;+++++ ; exit ;+++++ end start ;-----cut----------------------------------------------------------------------------------- Run the prog, when you see the message the SubKey is deleted. Look at RegEdit: HEKEY_LOCAL_MACHINE\System ... no TE$T SubKey! No message -> error! *** _B_ : Outro *** All is done, now you have the most important knowledge to *Play with the Registry* =) Ok, we see us in another Tutorial... cya DiA *** #C# : Appendix = RegCounter *** Here comez a little code written by me, it's a counter that *Play with the Registry* : To Compile: TASM32 /z /ml /m3 RegCounter,,; TLINK32 -Tpe -c RegCounter,RegCounter,, import,lib ;-----cut-----RegCounter.asm---------------------------------------------------------------- .386 .model flat jumps extrn RegOpenKeyExA :PROC extrn RegQueryValueExA :PROC extrn RegCreateKeyA :PROC extrn RegDeleteKeyA :PROC extrn RegSetValueExA :PROC extrn RegCloseKey :PROC extrn MessageBoxA :PROC extrn ExitProcess :PROC .data Install db 'Not installed...',0 Msg db 'Install Counter in:',10,13 db ' HKEY_LOCAL_MACHINE\System\RegCounter',0 oTitle1 db 'NO',0 oMsg1 db 'Try it again...',0 oTitle2 db 'YES',0 oMsg2 db 'Here comeZ the Payload...',10,13 db ' HKEY_LOCAL_MACHINE\System\RegCounter',0 RegHandle dd 0 System_Counter db 'System\RegCounter',0 System db 'System',0 RegCounter db 'RegCounter',0 Number db 6 Value db 'Counter:',0 Size dd 1 CurrentNumber db 1 dup (0) lpType db 0 CopyRight db 'by DiA /auXnet (c)zooz',0 .code start: push offset RegHandle push 001F0000h push 0 push offset System_Counter push 80000002h call RegOpenKeyExA test eax,eax jnz CreateKey push offset Size push offset CurrentNumber push offset lpType push 0 push offset Value push dword ptr [RegHandle] call RegQueryValueExA cmp byte ptr [CurrentNumber],0 jz BOOM dec byte ptr [CurrentNumber] push 1 push offset CurrentNumber push 0 push 0 push offset Value push dword ptr [RegHandle] call RegSetValueExA push 0 push offset oTitle1 push offset oMsg1 push 0 call MessageBoxA jmp Exit BOOM: push offset RegHandle push 001F0000h push 0 push offset System push 80000002h call RegOpenKeyExA push offset RegCounter push dword ptr [RegHandle] call RegDeleteKeyA push 0 push offset oTitle2 push offset oMsg2 push 0 call MessageBoxA Exit: push 0 push 0 push 0 push 0 push offset CopyRight push dword ptr [RegHandle] call RegSetValueExA push dword ptr [RegHandle] call RegCloseKey push 0 call ExitProcess CreateKey: push 0 push offset Install push offset Msg push 0 call MessageBoxA push offset RegHandle push 001F0000h push 0 push offset System push 80000002h call RegOpenKeyExA push offset RegHandle push offset RegCounter push dword ptr [RegHandle] call RegCreateKeyA push 1 push offset Number push 0 push 0 push offset Value push dword ptr [RegHandle] call RegSetValueExA jmp Exit end start ;-----cut----------------------------------------------------------------------------------- ____________________________________________________________________________________________ DiA /auXnet (c)02 ____________________________________________________________________________________________